May 12th marked one of the largest cyber-security breaches in history. With the onset of a ransomware strain titled ‘WannaCry’ several variants have since been re-engineered and introduced into the wild. Our crew of Threat Intelligence Researchers, Incident Response Team, and Security Operations Center personnel have diagnosed of few of the tools leaked by the Shadow Brokers that were illegally acquired from NSA’s Equation Group. The preceding information outlines the various tools leaked that assisted in the cyber attack for the purpose of creating backdoors, modification of registry keys and configuration files, and lateral movement.
The preceding list supports the primary attributes of the attack:
1. 150 countries affected
2. Hitting all major sectors to include medical, industrial, financial
3. More than 200,000 assets compromised
4. Variants to the strain rapidly developed within hours of identification and patch release
5. Attack vectors include phishing, spamming, capitalizing on Microsoft vulnerability CVE-2017-044
6. Utilized a ‘Kill Switch’ capability that would terminate the exploit if it reached a specific registered domain name
7. Tools used in exploit were supposedly developed by NSA’s hacking crew the ‘Equation Group’ and acquired by the Shadow Brokers with attempt to profit off selling via black market
Fuzzbunch Malware Strain
Fuzzbunch is an attack with a structure very similar to that of Metasploit. It has integrated many vulnerabilities that are invoked through plugins.
Fb.py – Executing the fb.py script activates the Fuzzbunch exploit with the following commands illustrated below.
Fuzzbunch ‘Exploit’ Category
Exploit – Located in the Windows directory and includes vulnerability exploit programs targeting Windows systems and application software to include MS-SMB and Lotus (acquired by IBM) mail systems.
Fuzzbunch ‘ImplantConfig’ Category
ImplantConfig used to implant designated .dll and .exe programs to target devices.
Here are some descriptions about the main plugins.
Fuzzbunch ‘Payload’ Category
Payload – Located in \payload directory under Windows and is used to further operations after successful exploit. This includes installing backdoors, enumerating processes, adding\deleting\modifying\querying registry values, operating RPC service, and so on.
Fuzzbunch ‘Special’ Category
Special – Located in \special directory under Windows including the latest exploit programs such as Eternalblue and Eternalchampion that are specifically targeting Windows SMB.
The vulnerability has been fixed by Microsoft patch MS17-010 in March 2107 to cover majority of MS OS’s w/ exceptional case for XP released earlier this month.
Fuzzbunch ‘Touch’ Category
Touch – Located in the \touch directory under Windows with its main function to probe for designated vulnerabilities. It is similar to ‘Exploit’ but used to find vulnerabilities only not to exploit them.
DanderSpritz Malware Strain
DanderSpritz is a remote administration tool (RAT) and can be used with Fuzzbunch in conjunction. When a Fuzzbunch attack is successful and the Trojan is implanted to the targets attackers can use DanderSpritz to control the victim’s devices remotely.
The DanderSpritz interface is depicted below.
DanderSpritz also uses plugins to invoke each module and are located under the ‘Resource’ directory.
How To Protect Your Assets
- Ensure that all your software and security applications are patched and up to date
- Ensure that you have security/anti-virus software on all your end-points especially public facing servers
- Use commercial or open source threat intelligence to block your organization’s access to command & control servers
- Use commercial or open source threat intelligence to investigate any IP/URL addresses you have that may exhibit suspicious behavior
- Keep multiple backups that are encrypted in more then one location with encryption keys in separate locations
- Disable Windows SMBv1 if your still using and upgrade to SMBv2 & SMBv3
- Contact NSFOCUS to help you protect your systems infrastructure through a strong line of security appliances or consultation services